From: Greg Kroah-Hartman Date: Sun, 14 Oct 2012 12:48:29 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.47~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1af111dbe847e4c09695bbece599d7a3ca27fd8d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: arm-7541-1-add-arm-errata-775420-workaround.patch firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch iscsi-target-add-explicit-set-of-cache_dynamic_acls-1-for-tpg-demo-mode.patch iscsi-target-bump-defaults-for-nopin_timeout-nopin_response_timeout-values.patch iscsi-target-correctly-set-0xffffffff-field-within-iscsi_op_reject-pdu.patch iscsit-remove-incorrect-unlock-in-iscsit_build_sendtargets_resp.patch scsi-hpsa-dial-down-lockup-detection-during-firmware-flash.patch scsi-scsi_debug-fix-off-by-one-bug-when-unmapping-region.patch scsi-storvsc-account-for-in-transit-packets-in-the-reset-path.patch sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch --- diff --git a/queue-3.4/arm-7541-1-add-arm-errata-775420-workaround.patch b/queue-3.4/arm-7541-1-add-arm-errata-775420-workaround.patch new file mode 100644 index 00000000000..becec63dda2 --- /dev/null +++ b/queue-3.4/arm-7541-1-add-arm-errata-775420-workaround.patch @@ -0,0 +1,62 @@ +From 7253b85cc62d6ff84143d96fe6cd54f73736f4d7 Mon Sep 17 00:00:00 2001 +From: Simon Horman +Date: Fri, 28 Sep 2012 02:12:45 +0100 +Subject: ARM: 7541/1: Add ARM ERRATA 775420 workaround + +From: Simon Horman + +commit 7253b85cc62d6ff84143d96fe6cd54f73736f4d7 upstream. + +arm: Add ARM ERRATA 775420 workaround + +Workaround for the 775420 Cortex-A9 (r2p2, r2p6,r2p8,r2p10,r3p0) erratum. +In case a date cache maintenance operation aborts with MMU exception, it +might cause the processor to deadlock. This workaround puts DSB before +executing ISB if an abort may occur on cache maintenance. + +Based on work by Kouei Abe and feedback from Catalin Marinas. + +Signed-off-by: Kouei Abe +[ horms@verge.net.au: Changed to implementation + suggested by catalin.marinas@arm.com ] +Acked-by: Catalin Marinas +Signed-off-by: Simon Horman +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/Kconfig | 10 ++++++++++ + arch/arm/mm/cache-v7.S | 3 +++ + 2 files changed, 13 insertions(+) + +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1405,6 +1405,16 @@ config PL310_ERRATA_769419 + on systems with an outer cache, the store buffer is drained + explicitly. + ++config ARM_ERRATA_775420 ++ bool "ARM errata: A data cache maintenance operation which aborts, might lead to deadlock" ++ depends on CPU_V7 ++ help ++ This option enables the workaround for the 775420 Cortex-A9 (r2p2, ++ r2p6,r2p8,r2p10,r3p0) erratum. In case a date cache maintenance ++ operation aborts with MMU exception, it might cause the processor ++ to deadlock. This workaround puts DSB before executing ISB if ++ an abort may occur on cache maintenance. ++ + endmenu + + source "arch/arm/common/Kconfig" +--- a/arch/arm/mm/cache-v7.S ++++ b/arch/arm/mm/cache-v7.S +@@ -211,6 +211,9 @@ ENTRY(v7_coherent_user_range) + * isn't mapped, just try the next page. + */ + 9001: ++#ifdef CONFIG_ARM_ERRATA_775420 ++ dsb ++#endif + mov r12, r12, lsr #12 + mov r12, r12, lsl #12 + add r12, r12, #4096 diff --git a/queue-3.4/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch b/queue-3.4/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch new file mode 100644 index 00000000000..82ca2fa9e95 --- /dev/null +++ b/queue-3.4/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch @@ -0,0 +1,50 @@ +From 790198f74c9d1b46b6a89504361b1a844670d050 Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Sat, 6 Oct 2012 14:12:56 +0200 +Subject: firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel) + +From: Stefan Richter + +commit 790198f74c9d1b46b6a89504361b1a844670d050 upstream. + +Fix two bugs of the /dev/fw* character device concerning the +FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset. +(Practically all /dev/fw* clients issue this ioctl right after opening +the device.) + +Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36 +without natural alignment and 40 with natural alignment. + + 1) Memory corruption, affecting i386 userland on amd64 kernel: + Userland reserves a 36 bytes large buffer, kernel writes 40 bytes. + This has been first found and reported against libraw1394 if + compiled with gcc 4.7 which happens to order libraw1394's stack such + that the bug became visible as data corruption. + + 2) Information leak, affecting all kernel architectures except i386: + 4 bytes of random kernel stack data were leaked to userspace. + +Hence limit the respective copy_to_user() to the 32-bit aligned size of +struct fw_cdev_event_bus_reset. + +Reported-by: Simon Kirby +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/core-cdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/firewire/core-cdev.c ++++ b/drivers/firewire/core-cdev.c +@@ -471,8 +471,8 @@ static int ioctl_get_info(struct client + client->bus_reset_closure = a->bus_reset_closure; + if (a->bus_reset != 0) { + fill_bus_reset_event(&bus_reset, client); +- ret = copy_to_user(u64_to_uptr(a->bus_reset), +- &bus_reset, sizeof(bus_reset)); ++ /* unaligned size of bus_reset is 36 bytes */ ++ ret = copy_to_user(u64_to_uptr(a->bus_reset), &bus_reset, 36); + } + if (ret == 0 && list_empty(&client->link)) + list_add_tail(&client->link, &client->device->client_list); diff --git a/queue-3.4/iscsi-target-add-explicit-set-of-cache_dynamic_acls-1-for-tpg-demo-mode.patch b/queue-3.4/iscsi-target-add-explicit-set-of-cache_dynamic_acls-1-for-tpg-demo-mode.patch new file mode 100644 index 00000000000..a6687165176 --- /dev/null +++ b/queue-3.4/iscsi-target-add-explicit-set-of-cache_dynamic_acls-1-for-tpg-demo-mode.patch @@ -0,0 +1,57 @@ +From 38b11bae6ba02da352340aff12ee25755977b222 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sun, 30 Sep 2012 12:20:02 -0700 +Subject: iscsi-target: Add explicit set of cache_dynamic_acls=1 for TPG demo-mode + +From: Nicholas Bellinger + +commit 38b11bae6ba02da352340aff12ee25755977b222 upstream. + +We've had reports in the past about this specific case, so it's time to +go ahead and explicitly set cache_dynamic_acls=1 for generate_node_acls=1 +(TPG demo-mode) operation. + +During normal generate_node_acls=0 operation with explicit NodeACLs -> +se_node_acl memory is persistent to the configfs group located at +/sys/kernel/config/target/$TARGETNAME/$TPGT/acls/$INITIATORNAME, so in +the generate_node_acls=1 case we want the reservation logic to reference +existing per initiator IQN se_node_acl memory (not to generate a new +se_node_acl), so go ahead and always set cache_dynamic_acls=1 when +TPG demo-mode is enabled. + +Reported-by: Ronnie Sahlberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_tpg.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -672,6 +672,12 @@ int iscsit_ta_generate_node_acls( + pr_debug("iSCSI_TPG[%hu] - Generate Initiator Portal Group ACLs: %s\n", + tpg->tpgt, (a->generate_node_acls) ? "Enabled" : "Disabled"); + ++ if (flag == 1 && a->cache_dynamic_acls == 0) { ++ pr_debug("Explicitly setting cache_dynamic_acls=1 when " ++ "generate_node_acls=1\n"); ++ a->cache_dynamic_acls = 1; ++ } ++ + return 0; + } + +@@ -711,6 +717,12 @@ int iscsit_ta_cache_dynamic_acls( + return -EINVAL; + } + ++ if (a->generate_node_acls == 1 && flag == 0) { ++ pr_debug("Skipping cache_dynamic_acls=0 when" ++ " generate_node_acls=1\n"); ++ return 0; ++ } ++ + a->cache_dynamic_acls = flag; + pr_debug("iSCSI_TPG[%hu] - Cache Dynamic Initiator Portal Group" + " ACLs %s\n", tpg->tpgt, (a->cache_dynamic_acls) ? diff --git a/queue-3.4/iscsi-target-bump-defaults-for-nopin_timeout-nopin_response_timeout-values.patch b/queue-3.4/iscsi-target-bump-defaults-for-nopin_timeout-nopin_response_timeout-values.patch new file mode 100644 index 00000000000..123262ce666 --- /dev/null +++ b/queue-3.4/iscsi-target-bump-defaults-for-nopin_timeout-nopin_response_timeout-values.patch @@ -0,0 +1,51 @@ +From cf0eb28d3ba60098865bf7dbcbfdd6b1cc483e3b Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Wed, 3 Oct 2012 15:42:48 -0700 +Subject: iscsi-target: Bump defaults for nopin_timeout + nopin_response_timeout values + +From: Nicholas Bellinger + +commit cf0eb28d3ba60098865bf7dbcbfdd6b1cc483e3b upstream. + +This patch increases the default for nopin_timeout to 15 seconds (wait +between sending a new NopIN ping) and nopin_response_timeout to 30 seconds +(wait for NopOUT response before failing the connection) in order to avoid +false positives by iSCSI Initiators who are not always able (under load) to +respond to NopIN echo PING requests within the current 5 second window. + +False positives have been observed recently using Open-iSCSI code on v3.3.x +with heavy large-block READ workloads over small MTU 1 Gb/sec ports, and +increasing these values to more reasonable defaults significantly reduces +the possibility of false positive NopIN response timeout events under +this specific workload. + +Historically these have been set low to initiate connection recovery as +soon as possible if we don't hear a ping back, but for modern v3.x code +on 1 -> 10 Gb/sec ports these new defaults make alot more sense. + +Signed-off-by: Nicholas Bellinger +Cc: Christoph Hellwig +Cc: Andy Grover +Cc: Mike Christie +Cc: Hannes Reinecke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_core.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_core.h ++++ b/drivers/target/iscsi/iscsi_target_core.h +@@ -25,10 +25,10 @@ + #define NA_DATAOUT_TIMEOUT_RETRIES 5 + #define NA_DATAOUT_TIMEOUT_RETRIES_MAX 15 + #define NA_DATAOUT_TIMEOUT_RETRIES_MIN 1 +-#define NA_NOPIN_TIMEOUT 5 ++#define NA_NOPIN_TIMEOUT 15 + #define NA_NOPIN_TIMEOUT_MAX 60 + #define NA_NOPIN_TIMEOUT_MIN 3 +-#define NA_NOPIN_RESPONSE_TIMEOUT 5 ++#define NA_NOPIN_RESPONSE_TIMEOUT 30 + #define NA_NOPIN_RESPONSE_TIMEOUT_MAX 60 + #define NA_NOPIN_RESPONSE_TIMEOUT_MIN 3 + #define NA_RANDOM_DATAIN_PDU_OFFSETS 0 diff --git a/queue-3.4/iscsi-target-correctly-set-0xffffffff-field-within-iscsi_op_reject-pdu.patch b/queue-3.4/iscsi-target-correctly-set-0xffffffff-field-within-iscsi_op_reject-pdu.patch new file mode 100644 index 00000000000..60d3adfac26 --- /dev/null +++ b/queue-3.4/iscsi-target-correctly-set-0xffffffff-field-within-iscsi_op_reject-pdu.patch @@ -0,0 +1,35 @@ +From f25590f39d543272f7ae7b00d533359c8d7ff331 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sat, 22 Sep 2012 17:21:06 -0700 +Subject: iscsi-target: Correctly set 0xffffffff field within ISCSI_OP_REJECT PDU + +From: Nicholas Bellinger + +commit f25590f39d543272f7ae7b00d533359c8d7ff331 upstream. + +This patch adds a missing iscsi_reject->ffffffff assignment within +iscsit_send_reject() code to properly follow RFC-3720 Section 10.17 +Bytes 16 -> 19 for the PDU format definition of ISCSI_OP_REJECT. + +We've not seen any initiators care about this bytes in practice, but +as Ronnie reported this was causing trouble with wireshark packet +decoding lets go ahead and fix this up now. + +Reported-by: Ronnie Sahlberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -3349,6 +3349,7 @@ static int iscsit_send_reject( + hdr->opcode = ISCSI_OP_REJECT; + hdr->flags |= ISCSI_FLAG_CMD_FINAL; + hton24(hdr->dlength, ISCSI_HDR_LEN); ++ hdr->ffffffff = 0xffffffff; + cmd->stat_sn = conn->stat_sn++; + hdr->statsn = cpu_to_be32(cmd->stat_sn); + hdr->exp_cmdsn = cpu_to_be32(conn->sess->exp_cmd_sn); diff --git a/queue-3.4/iscsit-remove-incorrect-unlock-in-iscsit_build_sendtargets_resp.patch b/queue-3.4/iscsit-remove-incorrect-unlock-in-iscsit_build_sendtargets_resp.patch new file mode 100644 index 00000000000..924c2e5d5a7 --- /dev/null +++ b/queue-3.4/iscsit-remove-incorrect-unlock-in-iscsit_build_sendtargets_resp.patch @@ -0,0 +1,31 @@ +From 904753da183566c71211d23c169a80184648c121 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 26 Sep 2012 08:00:37 -0400 +Subject: iscsit: remove incorrect unlock in iscsit_build_sendtargets_resp + +From: Christoph Hellwig + +commit 904753da183566c71211d23c169a80184648c121 upstream. + +Fix a potential multiple spin-unlock -> deadlock scenario during the +overflow check within iscsit_build_sendtargets_resp() as found by +sparse static checking. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -3196,7 +3196,6 @@ static int iscsit_build_sendtargets_resp + len += 1; + + if ((len + payload_len) > buffer_len) { +- spin_unlock(&tiqn->tiqn_tpg_lock); + end_of_buf = 1; + goto eob; + } diff --git a/queue-3.4/scsi-hpsa-dial-down-lockup-detection-during-firmware-flash.patch b/queue-3.4/scsi-hpsa-dial-down-lockup-detection-during-firmware-flash.patch new file mode 100644 index 00000000000..782cdbc8700 --- /dev/null +++ b/queue-3.4/scsi-hpsa-dial-down-lockup-detection-during-firmware-flash.patch @@ -0,0 +1,140 @@ +From e85c59746957fd6e3595d02cf614370056b5816e Mon Sep 17 00:00:00 2001 +From: "Stephen M. Cameron" +Date: Tue, 1 May 2012 11:43:42 -0500 +Subject: SCSI: hpsa: dial down lockup detection during firmware flash + +From: "Stephen M. Cameron" + +commit e85c59746957fd6e3595d02cf614370056b5816e upstream. + +Dial back the aggressiveness of the controller lockup detection thread. +Currently it will declare the controller to be locked up if it goes +for 10 seconds with no interrupts and no change in the heartbeat +register. Dial back this to 30 seconds with no heartbeat change, and +also snoop the ioctl path and if a firmware flash command is detected, +dial it back further to 4 minutes until the firmware flash command +completes. The reason for this is that during the firmware flash +operation, the controller apparently doesn't update the heartbeat +register as frequently as it is supposed to, and we can get a false +positive. + +Signed-off-by: Stephen M. Cameron +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/hpsa.c | 39 ++++++++++++++++++++++++++++++++++----- + drivers/scsi/hpsa.h | 2 ++ + drivers/scsi/hpsa_cmd.h | 1 + + 3 files changed, 37 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -548,12 +548,42 @@ static void set_performant_mode(struct c + c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1); + } + ++static int is_firmware_flash_cmd(u8 *cdb) ++{ ++ return cdb[0] == BMIC_WRITE && cdb[6] == BMIC_FLASH_FIRMWARE; ++} ++ ++/* ++ * During firmware flash, the heartbeat register may not update as frequently ++ * as it should. So we dial down lockup detection during firmware flash. and ++ * dial it back up when firmware flash completes. ++ */ ++#define HEARTBEAT_SAMPLE_INTERVAL_DURING_FLASH (240 * HZ) ++#define HEARTBEAT_SAMPLE_INTERVAL (30 * HZ) ++static void dial_down_lockup_detection_during_fw_flash(struct ctlr_info *h, ++ struct CommandList *c) ++{ ++ if (!is_firmware_flash_cmd(c->Request.CDB)) ++ return; ++ atomic_inc(&h->firmware_flash_in_progress); ++ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL_DURING_FLASH; ++} ++ ++static void dial_up_lockup_detection_on_fw_flash_complete(struct ctlr_info *h, ++ struct CommandList *c) ++{ ++ if (is_firmware_flash_cmd(c->Request.CDB) && ++ atomic_dec_and_test(&h->firmware_flash_in_progress)) ++ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL; ++} ++ + static void enqueue_cmd_and_start_io(struct ctlr_info *h, + struct CommandList *c) + { + unsigned long flags; + + set_performant_mode(h, c); ++ dial_down_lockup_detection_during_fw_flash(h, c); + spin_lock_irqsave(&h->lock, flags); + addQ(&h->reqQ, c); + h->Qdepth++; +@@ -3049,6 +3079,7 @@ static inline int bad_tag(struct ctlr_in + static inline void finish_cmd(struct CommandList *c, u32 raw_tag) + { + removeQ(c); ++ dial_up_lockup_detection_on_fw_flash_complete(c->h, c); + if (likely(c->cmd_type == CMD_SCSI)) + complete_scsi_command(c); + else if (c->cmd_type == CMD_IOCTL_PEND) +@@ -4189,9 +4220,6 @@ static void controller_lockup_detected(s + spin_unlock_irqrestore(&h->lock, flags); + } + +-#define HEARTBEAT_SAMPLE_INTERVAL (10 * HZ) +-#define HEARTBEAT_CHECK_MINIMUM_INTERVAL (HEARTBEAT_SAMPLE_INTERVAL / 2) +- + static void detect_controller_lockup(struct ctlr_info *h) + { + u64 now; +@@ -4202,7 +4230,7 @@ static void detect_controller_lockup(str + now = get_jiffies_64(); + /* If we've received an interrupt recently, we're ok. */ + if (time_after64(h->last_intr_timestamp + +- (HEARTBEAT_CHECK_MINIMUM_INTERVAL), now)) ++ (h->heartbeat_sample_interval), now)) + return; + + /* +@@ -4211,7 +4239,7 @@ static void detect_controller_lockup(str + * otherwise don't care about signals in this thread. + */ + if (time_after64(h->last_heartbeat_timestamp + +- (HEARTBEAT_CHECK_MINIMUM_INTERVAL), now)) ++ (h->heartbeat_sample_interval), now)) + return; + + /* If heartbeat has not changed since we last looked, we're not ok. */ +@@ -4253,6 +4281,7 @@ static void add_ctlr_to_lockup_detector_ + { + unsigned long flags; + ++ h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL; + spin_lock_irqsave(&lockup_detector_lock, flags); + list_add_tail(&h->lockup_list, &hpsa_ctlr_list); + spin_unlock_irqrestore(&lockup_detector_lock, flags); +--- a/drivers/scsi/hpsa.h ++++ b/drivers/scsi/hpsa.h +@@ -123,6 +123,8 @@ struct ctlr_info { + u64 last_intr_timestamp; + u32 last_heartbeat; + u64 last_heartbeat_timestamp; ++ u32 heartbeat_sample_interval; ++ atomic_t firmware_flash_in_progress; + u32 lockup_detected; + struct list_head lockup_list; + }; +--- a/drivers/scsi/hpsa_cmd.h ++++ b/drivers/scsi/hpsa_cmd.h +@@ -162,6 +162,7 @@ struct SenseSubsystem_info { + #define BMIC_WRITE 0x27 + #define BMIC_CACHE_FLUSH 0xc2 + #define HPSA_CACHE_FLUSH 0x01 /* C2 was already being used by HPSA */ ++#define BMIC_FLASH_FIRMWARE 0xF7 + + /* Command List Structure */ + union SCSI3Addr { diff --git a/queue-3.4/scsi-scsi_debug-fix-off-by-one-bug-when-unmapping-region.patch b/queue-3.4/scsi-scsi_debug-fix-off-by-one-bug-when-unmapping-region.patch new file mode 100644 index 00000000000..9a7fd0856cf --- /dev/null +++ b/queue-3.4/scsi-scsi_debug-fix-off-by-one-bug-when-unmapping-region.patch @@ -0,0 +1,47 @@ +From bc977749e967daa56de1922cf4cb38525631c51c Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Thu, 16 Aug 2012 16:38:45 +0200 +Subject: SCSI: scsi_debug: Fix off-by-one bug when unmapping region + +From: Lukas Czerner + +commit bc977749e967daa56de1922cf4cb38525631c51c upstream. + +Currently it is possible to unmap one more block than user requested to +due to the off-by-one error in unmap_region(). This is probably due to +the fact that the end variable despite its name actually points to the +last block to unmap + 1. However in the condition it is handled as the +last block of the region to unmap. + +The bug was not previously spotted probably due to the fact that the +region was not zeroed, which has changed with commit +be1dd78de5686c062bb3103f9e86d444a10ed783. With that commit we were able +to corrupt the ext4 file system on 256M scsi_debug device with LBPRZ +enabled using fstrim. + +Since the 'end' semantic is the same in several functions there this +commit just fixes the condition to use the 'end' variable correctly in +that context. + +Reported-by: Paolo Bonzini +Signed-off-by: Lukas Czerner +Reviewed-by: Martin K. Petersen +Acked-by: Douglas Gilbert +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -2054,7 +2054,7 @@ static void unmap_region(sector_t lba, u + block = lba + alignment; + rem = do_div(block, granularity); + +- if (rem == 0 && lba + granularity <= end && block < map_size) { ++ if (rem == 0 && lba + granularity < end && block < map_size) { + clear_bit(block, map_storep); + if (scsi_debug_lbprz) + memset(fake_storep + diff --git a/queue-3.4/scsi-storvsc-account-for-in-transit-packets-in-the-reset-path.patch b/queue-3.4/scsi-storvsc-account-for-in-transit-packets-in-the-reset-path.patch new file mode 100644 index 00000000000..39e88c52f29 --- /dev/null +++ b/queue-3.4/scsi-storvsc-account-for-in-transit-packets-in-the-reset-path.patch @@ -0,0 +1,38 @@ +From 5c1b10ab7f93d24f29b5630286e323d1c5802d5c Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Tue, 2 Oct 2012 11:03:31 -0700 +Subject: SCSI: storvsc: Account for in-transit packets in the RESET path + +From: "K. Y. Srinivasan" + +commit 5c1b10ab7f93d24f29b5630286e323d1c5802d5c upstream. + +Properly account for I/O in transit before returning from the RESET call. +In the absense of this patch, we could have a situation where the host may +respond to a command that was issued prior to the issuance of the RESET +command at some arbitrary time after responding to the RESET command. +Currently, the host does not do anything with the RESET command. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/storvsc_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1211,7 +1211,12 @@ static int storvsc_host_reset_handler(st + /* + * At this point, all outstanding requests in the adapter + * should have been flushed out and return to us ++ * There is a potential race here where the host may be in ++ * the process of responding when we return from here. ++ * Just wait for all in-transit packets to be accounted for ++ * before we return from here. + */ ++ storvsc_wait_to_drain(stor_device); + + return SUCCESS; + } diff --git a/queue-3.4/series b/queue-3.4/series index fdca38e93e3..4d7e525b1fe 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -8,3 +8,13 @@ alsa-hda-do-not-detect-jack-on-internal-speakers-for-realtek.patch alsa-hda-fix-memory-leaks-at-error-path-in-patch_cirrus.c.patch mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch +scsi-hpsa-dial-down-lockup-detection-during-firmware-flash.patch +iscsi-target-correctly-set-0xffffffff-field-within-iscsi_op_reject-pdu.patch +iscsit-remove-incorrect-unlock-in-iscsit_build_sendtargets_resp.patch +iscsi-target-add-explicit-set-of-cache_dynamic_acls-1-for-tpg-demo-mode.patch +iscsi-target-bump-defaults-for-nopin_timeout-nopin_response_timeout-values.patch +scsi-storvsc-account-for-in-transit-packets-in-the-reset-path.patch +scsi-scsi_debug-fix-off-by-one-bug-when-unmapping-region.patch +arm-7541-1-add-arm-errata-775420-workaround.patch +firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch +sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch diff --git a/queue-3.4/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch b/queue-3.4/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch new file mode 100644 index 00000000000..e48916ead26 --- /dev/null +++ b/queue-3.4/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch @@ -0,0 +1,86 @@ +From a519fc7a70d1a918574bb826cc6905b87b482eb9 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 12 Sep 2012 16:49:15 -0400 +Subject: SUNRPC: Ensure that the TCP socket is closed when in CLOSE_WAIT + +From: Trond Myklebust + +commit a519fc7a70d1a918574bb826cc6905b87b482eb9 upstream. + +Instead of doing a shutdown() call, we need to do an actual close(). +Ditto if/when the server is sending us junk RPC headers. + +Signed-off-by: Trond Myklebust +Tested-by: Simon Kirby +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtsock.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -1028,6 +1028,16 @@ static void xs_udp_data_ready(struct soc + read_unlock_bh(&sk->sk_callback_lock); + } + ++/* ++ * Helper function to force a TCP close if the server is sending ++ * junk and/or it has put us in CLOSE_WAIT ++ */ ++static void xs_tcp_force_close(struct rpc_xprt *xprt) ++{ ++ set_bit(XPRT_CONNECTION_CLOSE, &xprt->state); ++ xprt_force_disconnect(xprt); ++} ++ + static inline void xs_tcp_read_fraghdr(struct rpc_xprt *xprt, struct xdr_skb_reader *desc) + { + struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt); +@@ -1054,7 +1064,7 @@ static inline void xs_tcp_read_fraghdr(s + /* Sanity check of the record length */ + if (unlikely(transport->tcp_reclen < 8)) { + dprintk("RPC: invalid TCP record fragment length\n"); +- xprt_force_disconnect(xprt); ++ xs_tcp_force_close(xprt); + return; + } + dprintk("RPC: reading TCP record fragment of length %d\n", +@@ -1135,7 +1145,7 @@ static inline void xs_tcp_read_calldir(s + break; + default: + dprintk("RPC: invalid request message type\n"); +- xprt_force_disconnect(&transport->xprt); ++ xs_tcp_force_close(&transport->xprt); + } + xs_tcp_check_fraghdr(transport); + } +@@ -1458,6 +1468,8 @@ static void xs_tcp_cancel_linger_timeout + static void xs_sock_mark_closed(struct rpc_xprt *xprt) + { + smp_mb__before_clear_bit(); ++ clear_bit(XPRT_CONNECTION_ABORT, &xprt->state); ++ clear_bit(XPRT_CONNECTION_CLOSE, &xprt->state); + clear_bit(XPRT_CLOSE_WAIT, &xprt->state); + clear_bit(XPRT_CLOSING, &xprt->state); + smp_mb__after_clear_bit(); +@@ -1515,8 +1527,8 @@ static void xs_tcp_state_change(struct s + break; + case TCP_CLOSE_WAIT: + /* The server initiated a shutdown of the socket */ +- xprt_force_disconnect(xprt); + xprt->connect_cookie++; ++ xs_tcp_force_close(xprt); + case TCP_CLOSING: + /* + * If the server closed down the connection, make sure that +@@ -2159,8 +2171,7 @@ static void xs_tcp_setup_socket(struct w + /* We're probably in TIME_WAIT. Get rid of existing socket, + * and retry + */ +- set_bit(XPRT_CONNECTION_CLOSE, &xprt->state); +- xprt_force_disconnect(xprt); ++ xs_tcp_force_close(xprt); + break; + case -ECONNREFUSED: + case -ECONNRESET: